When attempting to run "/etc/init.d/iptables save" for the first time (i.e., no existing rules-save), it fails to create the file "/var/lib/iptables/rules-save". Filtering the SELinux denials through audit2allow gives the following needed permissions:

So then I manually created the save file with "touch /var/lib/iptables/rules-save" and verified that its context is: root:object_r:iptables_var_lib_t. Re-running "iptables save" still fails, giving this needed permission:

allow initrc_t iptables_var_lib_t:file { write };

If I execute "iptables-save > /var/lib/iptables/rules-save", the binary works correctly with no denials. Further, rebooting successfully starts /etc/init.d/iptables and correctly restores the iptables rules.

Since "iptables -L" appears to run correctly but gives a bunch of "var_t:dir { search }" denials as well, I believe a dontaudit will solve that problem, but the other problem looks like a failure of initrc_t to transition to the correct domain.
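As an added illustration (not part of the report above), the following shell snippet shows how the denials described here can be turned into audit2allow-style rules and how the "init script acting as initrc_t on an iptables_* type" symptom can be flagged as a likely missing domain transition rather than a missing allow rule. The AVC lines are constructed to match the denials quoted in the report; they are not real audit.log output from the reporter's system.

```shell
#!/bin/sh
# Constructed sample AVC records modelled on the two denials in the report
# (write on rules-save as initrc_t, search on /var/lib as initrc_t).
AVC_SAMPLE='type=AVC msg=audit(1234567890.123:45): avc:  denied  { write } for  pid=1234 comm="iptables-save" name="rules-save" dev=sda1 ino=4242 scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file
type=AVC msg=audit(1234567890.456:46): avc:  denied  { search } for  pid=1235 comm="iptables" name="lib" dev=sda1 ino=17 scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir'

# Convert one AVC record into an audit2allow-style rule:
#   allow <source type> <target type>:<class> { perms };
# The type is the third colon-separated field of a context (user:role:type[:level]).
avc_to_rule() {
    printf '%s\n' "$1" | awk '{
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                i++
                while ($i != "}") { perms = perms (perms == "" ? "" : " ") $i; i++ }
            } else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# Classify one AVC record: when the generic init domain (initrc_t) is denied
# access to an iptables_* type, the real fix is usually a domain transition
# into iptables_t, not a new allow rule for initrc_t.
check_transition() {
    printf '%s\n' "$1" | awk '{
        src = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        }
        if (src == "initrc_t" && tgt ~ /^iptables_/) print "missing-transition"
        else print "allow-or-dontaudit"
    }'
}

# Report over every record in the sample, one line per denial.
avc_report() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
        printf '%s\t%s\n' "$(check_transition "$line")" "$(avc_to_rule "$line")"
    done
}

avc_report
```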